Simple Timing Channels

Ira S. Moskowitz

Information Technology Division
Naval Research Laboratory
Washington, DC 20375

Abstract

We discuss the different ways of defining channel capacity for certain types of illicit communication channels. We also correct some errors from the literature, offer new proofs of some historical results, and give bounds for channel capacity. Special function techniques are employed to express the results in closed form. We conclude with examples.

1 Introduction

Even the most securely designed computer systems may inadvertently contain covert (communication) channels between specific users/processes of different security levels. Such covert channels can thwart efforts to prevent higher level information from being accessible to a lower level. Specifically, as in [26], we consider a multi-user computer system, where there are two specific user/processes designated High and Low. We assume that Bell-LaPadula type security procedures [2] have been set up so that Low may not read High's files and High may not write to Low's files. However, it may be possible for High to pass information to Low over a covert channel that unintentionally exists in the system.

In this paper we are interested in a specific type of covert channel, a timing channel. A timing channel exists if it is possible for High to interfere with the system response time to an input by Low. Therefore, a timing channel is a communication channel where the output alphabet is constructed from different time values (see [30]). Timing channels with noise and/or memory have been studied by the security community, for example [22]. However, the thrust of this paper is the analysis of timing channels that are discrete, memoryless, and noiseless. We will call such a timing channel a simple timing channel (STC).

From a security viewpoint, the capacity of a covert channel is the standard metric with which to measure its potential damage. In fact, the value of the capacity leads to different levels of secure system certification [7]. However, STC's may crop up on their own, e.g. in the disk arm channel [8], or as in the recent paper by Mathur and Keefe [20]. Further, STC's can be used as capacity bounds for more complicated types of timing channels [13]; i.e. STC's may give a worst case scenario. STC's therefore warrant special attention.

Implicit in the study of timing channels is the assumption that Low always receives the same response; it is the time at which Low receives the response that forms the output alphabet. If Low receives different responses, all taking the same amount of time, then we are in the situation of a "storage channel" [17]. If Low receives different responses at different times, then the resulting covert channel is termed a mixed channel. We will examine mixed channels in future work.

EXAMPLE 1: Say that Low wishes to play Chess. Chess can have multiple users, the effect being that response time increases from 1ms to 2ms when there is more than one user. By High playing or not playing Chess while Low is playing, High can send a 2 symbol alphabet to Low. If there are other users besides High, and Low cannot distinguish them from High, then this transmission is noisy. In fact, if we look at capacity in units of bits/transmission, we simply have the Z-channel [10, 4] (a two symbol channel where one of the symbols is transmitted perfectly). However, the capacity in terms of bits/ms is more complicated [28].

As mentioned, an important measure of the potential damage of a STC is the (channel) capacity. In our studies of STC capacity, we noticed some inconsistencies in the definition of capacity [27]. We discuss this and also offer a novel and simple proof of one of the major theorems concerning the capacity of STC's (and certain communication channels in general), thus providing a firm theoretical foundation on which to base our covert channel analysis.

We give bounds for the capacities of STC's when exact closed form solutions are intractable or unnecessary. Often, for security, an upper bound on capacity will suffice. We have given an example of this in previous work [13]. However, when one institutes system modifications to lessen the capacity of STC's, performance tends to suffer [12, 13]. Therefore, the tighter we can make the capacity bounds, the better. We make a detailed study of both upper and lower bounds by examining the roots of trinomials. Finally, we apply our work to STC's from the database world.

Note 1 The notation log will always mean the base 2 logarithm and ln will mean the natural logarithm. We assume that there is a way of measuring time, and the unit of time is a tick and all measurements are integral multiples of one tick.

2 Asymptotic Definition of Capacity for a STC

In a STC, High (transmitter) has an input alphabet consisting of the symbols $\{s_1, \ldots, s_k\}$. Low (receiver) has the output alphabet $\{t_1, \ldots, t_k\}$, where each distinct integer $t_j$ is the amount of time, in units of ticks, for the symbol $s_j$ to be transmitted over the channel and $t_j < t_{j'}$ if $j < j'$. We say that the above STC has an alphabet of size $k$ and use the notation $T(t_1, \ldots, t_k)$ to denote the above STC when we wish to be specific.

Only one response is being sent to Low, but High is able to vary the time $t_j$ it takes for that response to arrive at Low. Since Low can distinguish between the different $t_j$ values, this is equivalent to a discrete noiseless channel with $k$ different symbols, each taking distinct times to be transmitted over the channel [27].

A transmission through the STC can be viewed as a sequence whose terms are $s_j$'s. Since the STC is memoryless, the choice of symbols being sent is unconstrained; thus, all sequences are allowed. The length of the sequence is defined as the sum of the $t_j$'s corresponding to the $s_j$'s comprising the sequence. Thus, the length of the sequence is equal to the total transmission time of the sequence.


Definition 1 With respect to a given STC, let $S$ be the set of all sequences whose terms are from the set of symbols. Let $S_n$ be the subset of $S$ consisting of sequences whose length is $n$, $n \in \mathbb{Z}^+$, and let $|S_n|$ denote the cardinality of $S_n$. Also, if $s \in S$, we let $|s|$ denote the length of $s$.

Since information is passed over the STC by sending different sequences of symbols, we see that the ratio $|S_n|/n$, as $n$ gets large, gives a measure of the amount of information being sent [27]. This leads us to the following definition.


Definition 2 (Krause) The capacity ($C$) of a STC is given by

$$C = \limsup_{n \to \infty} \frac{\log |S_n|}{n} . \qquad (1)$$

The units of capacity are bits per tick. To specifically identify the capacity of $T(t_1, \ldots, t_k)$ we will use the notation $C_{T(t_1, \ldots, t_k)}$.

Shannon's original paper used the ordinary limit instead of the limit superior. The ordinary limit does not exist for many channels of interest. Our definition is a restatement of Krause's [15] definition of capacity (see also [29]). The following example shows the problem of using the ordinary limit.

EXAMPLE 2: Say that we only have two symbols $s_1$ and $s_2$, and that $t_1 = a$ and $t_2 = b$. Take any $s \in S_n$, where $s$ consists of $c(i)$ terms of $s_i$. Hence $n = c(1)a + c(2)b$. We see that the greatest common divisor of $a$ and $b$ must also divide $n$. Therefore, a necessary (but not necessarily sufficient) condition for $S_n \neq \emptyset$ is that $n$ be a multiple of the greatest common divisor of $a$ and $b$. For instance if $a = 2$ and $b = 4$, $|S_{2n+1}| = 0$ (even time values can never give a sequence of odd length). Therefore, the limit of $(\log |S_n|)/n$ is not always defined. We also see that in general $|S_n|$ cannot be asymptotic to $A^n$, where $A$ is the positive root of an associated characteristic polynomial, as Shannon states [27].

Note 2 Our/Krause's definition of capacity, Equation (1), is well-defined because if there are $m$ symbols then $|S_n| \le m^n$, and $(\log |S_n|)/n \le \log m$. Hence, $C$ is well-defined and bounded from above by $\log m$.


Others have gotten around the problem with the ordinary limit versus the limit superior by slightly redefining $|S_n|$ so that it is non-decreasing [9, 5]. In fact, in [6], where the problem with the ordinary limit is also noted, Csiszár goes into a detailed analysis of different measures of $|S_n|$ leading to equivalent definitions of capacity.

Since log is an increasing function and $(\log |S_n|)/n = \log |S_n|^{1/n}$, we can also express the capacity as

$$C = \log \limsup_{n \to \infty} |S_n|^{1/n} . \qquad (2)$$

We extend the definition of $|S_n|$ to all integers by letting $|S_{-|n|}| = 0$, if $n \neq 0$, and defining $|S_0| = 1$. This extension makes sense because the empty sequence is the only sequence of length zero, and there are no sequences of negative length. Therefore, the $|S_n|$ satisfy the following recurrence relation

$$|S_n| = \sum_j |S_{n - t_j}| + \delta_{0n} \qquad (3)$$

where $\delta_{0n}$ is the Kronecker delta which is needed to make both sides of the equation equal to one when $n = 0$.

Now let us apply the z-transform [24] to both sides of Equation (3) and we arrive at the formal equations

$$\sum_{n=0}^{\infty} |S_n| z^n = \sum_j \sum_{n=0}^{\infty} |S_{n - t_j}| z^n + \sum_{n=0}^{\infty} \delta_{0n} z^n$$

$$= \sum_j z^{t_j} \sum_{n=0}^{\infty} |S_{n - t_j}| z^{n - t_j} + 1$$

$$= \sum_j z^{t_j} \sum_{n=0}^{\infty} |S_n| z^n + 1 .$$

These give us the formal equation

$$\sum_{n=0}^{\infty} |S_n| z^n = \frac{1}{1 - \sum_j z^{t_j}}$$

where $\frac{1}{1 - \sum_j z^{t_j}}$ is referred to as the generating function [11] of the power series $\sum_{n=0}^{\infty} |S_n| z^n$. The above series manipulations and formal equations are valid in the disk about the origin where $\sum_{n=0}^{\infty} |S_n| z^n$ is analytic. Recall the root test for convergence of a power series:

Root Test — The power series $\sum_{n=0}^{\infty} a_n z^n$ converges absolutely for

$$|z| < \frac{1}{\limsup_{n \to \infty} |a_n|^{1/n}}$$

and diverges if the inequality is reversed.

The number $1/\limsup_{n \to \infty} |a_n|^{1/n}$ is called the radius of convergence of the power series $\sum_{n=0}^{\infty} a_n z^n$. We will show that the radius of convergence of $\sum_{n=0}^{\infty} |S_n| z^n$, denoted by $R$, is non-zero and is, in fact, equal to the (unique) real positive root of $1 - \sum_j z^{t_j}$.


Lemma 1 $R > 0$

PROOF: By Note 2 we know that $1/m \le 1/\limsup_{n \to \infty} |S_n|^{1/n}$; therefore, the power series converges when $|z| < 1/m$, so $R > 0$. □

Hence, there is a neighborhood about the origin in which $\sum_{n=0}^{\infty} |S_n| z^n$ is analytic. Since $\frac{1}{1 - \sum_j z^{t_j}}$ is a rational function which is non-infinite at the origin, we know that it too is analytic about the origin. By the uniqueness of power series representation for an analytic function [19, Thm. 3.2.5], the MacLaurin series of $\frac{1}{1 - \sum_j z^{t_j}}$ must be $\sum_{n=0}^{\infty} |S_n| z^n$. Since the poles of $\frac{1}{1 - \sum_j z^{t_j}}$ are precisely the roots of $1 - \sum_j z^{t_j}$, we see that the root(s) of smallest magnitude determine the largest disk about the origin in which $\frac{1}{1 - \sum_j z^{t_j}}$ is analytic. Since, for a function of a complex variable, analyticity is the same as convergence of the power series, we see that the above smallest magnitude is exactly $R$.

Lemma 2 The polynomial $1 - \sum_j z^{t_j}$ has one positive root $r$ and any other root must have magnitude at least equal to $|r|$.

Proof: Let the magnitude of the complex number $z$ be denoted by $\zeta$, $\zeta \ge 0$. Then

$$\left| 1 - \sum_j z^{t_j} \right| \ge 1 - \sum_j \zeta^{t_j} .$$

We will show that $h(\zeta) = 1 - \sum_j \zeta^{t_j}$ has a unique positive root. Note that $h'(\zeta) < 0$ so $h(\zeta)$ is a decreasing function. This, along with the fact that $h(0) > 0$ and $\lim_{\zeta \to \infty} h(\zeta) < 0$, tells us that $h(\zeta)$ has a unique root $r$ in $(0, \infty)$. In fact, since $\sum_j 1 \ge 2$ we see that $h(1) < 0$ so $r \in (0, 1)$. A root of $h(\zeta)$ is obviously a root of $1 - \sum_j z^{t_j}$. If $\rho$ is any root of $1 - \sum_j z^{t_j}$ we have that $0 \ge 1 - \sum_j |\rho|^{t_j}$, with equality only for $|\rho| = r$ (since $h(\zeta)$ has a unique positive root); hence, $r \le |\rho|$ since $h(\zeta)$ is a decreasing function. □

So $R = r$, but $R = 1/\limsup_{n \to \infty} |S_n|^{1/n}$. This tells us that

$$\limsup_{n \to \infty} |S_n|^{1/n} = r^{-1}$$

and $C = \log r^{-1}$, $1 < r^{-1}$. By noting that the inverse of the positive root of $1 - \sum_j z^{t_j}$ is the same as the positive root of $1 - \sum_j x^{-t_j}$, $x \in \mathbb{R}$, we arrive at the following theorem of Shannon. However, Shannon's sketched proof [27] is incomplete because it relies on a fact from the asymptotic behavior of finite-difference equations which, as we discussed earlier, does not apply.

Theorem 1 The capacity of the STC $T(t_1, \ldots, t_k)$ is

$$C = \log \omega$$

where $\omega > 1$ is the unique positive root of $1 - \sum_j x^{-t_j}$ (we may specifically identify $\omega$ as $\omega_T$).

Krause [15] was the first to give a rigorous proof of the above theorem. He obtained the result by using Dirichlet series instead of power series. However, the Dirichlet series approach is much more complicated than our proof. Kuich [16, Thms. 1, 5] has done work similar to ours, but in relation to the entropy of context-free languages. Although Theorem 1 has appeared quite often in the literature, our proof is simpler and more direct than the previous proofs.

We also see that the problem of channel capacity is actually an algebraic problem. Due to the importance of the equation

$$1 - \sum_{j=1}^{k} x^{-t_j} = 0$$

we refer to it as the characteristic equation of the STC and will denote the characteristic polynomial $1 - \sum_j x^{-t_j}$ as $\chi(x)$. The characteristic equation may also be written as

$$x^{t_k} - \left( x^{t_k - t_1} + \cdots + 1 \right) = 0 .$$


Corollary 1.1 The bounds $0 < C < 1$ are best possible.

Proof: First we will show that $C \in (0, 1)$ and then that these bounds are tight. Since $\omega > 1$, it is trivial that $C > 0$. We wish to solve $\chi(x) = 0$, already knowing that the solution is in $(1, \infty)$. Since there are at least two output symbols $\chi(1) = 1 - \sum_j 1^{-t_j} < 0$. Since $\sum_j 2^{-t_j} < \sum_{j=1}^{\infty} 2^{-j} = 1$, we see that $\chi(2) > 0$. Therefore, $\omega$ must be in $(1, 2)$ hence $C < 1$.

We can always make $C$ as close to 0 as we wish by just choosing larger and larger values of $t_j$. For example, if the channel has two symbols and $t_1 = q$ and $t_2 = 2q$, the characteristic equation is $x^{2q} - x^q - 1 = 0$ which has positive root $\left( \frac{1 + \sqrt{5}}{2} \right)^{1/q}$. Therefore, $\omega \to 1$ and hence $C \to 0$, as $q \to \infty$.

To show that 1 is the least upper bound of $C$ is a little trickier. Assume that the STC alphabet has $n$ symbols and that $t_j = j$. Then the characteristic equation is $x^n - (x^{n-1} + x^{n-2} + \cdots + 1) = 0$. The solution in the interval $(1, 2)$ is the same as the solution in the interval $(1, 2)$ of $x^n - \frac{x^n - 1}{x - 1} = 0$. Therefore, $\omega$ must obey the equation $\omega = 2 - \frac{1}{\omega^n}$ (also see [3]) and because $\omega$ is bounded away from 1 we see that $\omega \to 2$ as $n \to \infty$ and hence $C \to 1$. □

Note 3 The above can be extended to mixed channels, or, in general, to finite state discrete noiseless channels (see [22] for security applications), with the caveat being that the characteristic polynomial can have coefficients other than $\pm 1$. Hence, the bounds on $C$ will also change.


3 Average Mutual Information

Consider a discrete memoryless channel where $X$ represents the input random variable with distribution $P(X = s_i) = p_i$, and $Y$ represents the output random variable. Let $H(X)$ denote the entropy of $X$ and $I(X, Y)$ the mutual information (in units of bits per transmission). The mutual information in units of bits per tick for a discrete memoryless channel is

$$I_t = \frac{I(X, Y)}{E(T)} \qquad (4)$$

where $E(T)$ is the mean time for a symbol to be transmitted over the channel, see [25, 26, 28]. Of course, for a STC this reduces to

$$I_t = \frac{H(X)}{E(T)} .$$

(Since the channel is memoryless, the distribution on $X$ is stationary; this corresponds to the unconstrained symbol condition mentioned in the previous section.) A rigorous study of Equation (4) for the memoryless channel in general has been given by Verdú [28]. In fact, he proves generalizations of the fact that the maximum value of $I_t$ is the channel capacity. However, for a finite state discrete noiseless channel Shannon states and proves that the maximum value of $I_t$ is the channel capacity in [27, appendix 4], see also [18]. Krause [15] gave a beautiful proof of the following theorem solely by relying on the inequality $\log x \le x - 1$.

Theorem 2 (Shannon) For a STC, $\max I_t = \log \omega$, where $\omega$ is the positive root of the characteristic polynomial $1 - \sum_j x^{-t_j}$, $x > 0$. Furthermore, the distribution on $X$ that achieves the maximum value is given by $p_j = \omega^{-t_j}$.

Therefore, $\max I_t = C$ for the STC. Thus, we see two very different (the asymptotic and mutual information approaches), but equivalent, ways of defining capacity. Fully understanding the theory behind the definitions can assist in making the proper approximations necessary to construct models of covert channels [13]. For example, by using the mutual information definition of capacity, we can quickly see that $C \le$ . A slight difference in the approximation of covert channel capacity can rapidly increase to a large error as the speed of a computer system increases. Therefore, we must be careful in the mathematical models of covert channels that we propose and analyze.

The mutual information definition of capacity is the proper way to look at channels with noise, see Equation (4). The asymptotic approach does not generalize. However, it is Shannon's [27] coding theorems that give the power to the definitions of capacity as the upper bound on errorless communication rates.

EXAMPLE 3: In [25, 26] we looked at a noisy timing channel where the first symbol arrived between 1 and 2 ticks and the second symbol arrived at 2 ticks. The noiseless version of this channel has the symbols arriving at 1 and 2 ticks, respectively, [22]. The characteristic polynomial of this channel is $1 - (x^{-2} + x^{-1})$. The positive root of $\chi(x)$ is $\frac{1 + \sqrt{5}}{2}$; hence $C = \log \frac{1 + \sqrt{5}}{2}$. In fact, by using Theorem 2, we see that the value of $p$ that maximizes the mutual information, $p_c$, is given by

$$p_c = \left( \frac{1 + \sqrt{5}}{2} \right)^{-1} = \frac{-1 + \sqrt{5}}{2} .$$
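As an added worked example (not code from the paper), the following Python computes the capacity of a STC by the three routes of Sections 2 and 3: the root $\omega$ of $\chi(x)$ (Theorem 1; bisection is my choice of solver, not the paper's method), the growth of $|S_n|$ from recurrence (3) including the empty $S_n$ of Example 2, and the rate $H(X)/E(T)$ at Theorem 2's $p_j = \omega^{-t_j}$. Function names and the sample channels $T(1,2)$, $T(2,4)$ and $T(4, 5, \ldots)$ are mine.

```python
"""Capacity of a simple timing channel (STC) T(t_1, ..., t_k) computed three ways:
Theorem 1 (root of the characteristic polynomial), Definition 2 (growth of |S_n|
from recurrence (3)) and Theorem 2 (mutual information at p_j = omega^(-t_j))."""
import math
from typing import List, Optional, Sequence


def char_root(times: Sequence[int], tol: float = 1e-13) -> float:
    """Positive root omega of chi(x) = 1 - sum_j x^(-t_j), found by bisection.
    chi is increasing in x, chi(1) = 1 - k < 0 and chi(2) > 0 (Corollary 1.1),
    so the root lies in (1, 2) for every STC with k >= 2 distinct times."""
    def chi(x: float) -> float:
        return 1.0 - sum(x ** -t for t in times)
    lo, hi = 1.0, 2.0
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if chi(mid) > 0:
            hi = mid          # root is to the left of mid
        else:
            lo = mid
    return (lo + hi) / 2


def capacity(times: Sequence[int]) -> float:
    """Theorem 1: C = log2(omega) bits per tick."""
    return math.log2(char_root(times))


def sequence_counts(times: Sequence[int], n_max: int) -> List[int]:
    """|S_n| for n = 0..n_max via recurrence (3):
    |S_n| = sum_j |S_{n - t_j}| + delta_{0n}, with |S_n| = 0 for n < 0."""
    counts = [0] * (n_max + 1)
    for n in range(n_max + 1):
        counts[n] = (1 if n == 0 else 0) + sum(counts[n - t] for t in times if n >= t)
    return counts


def rate_estimate(times: Sequence[int], n: int) -> Optional[float]:
    """(log2 |S_n|)/n from Definition 2, or None when S_n is empty.
    Example 2: for T(2, 4) every odd n gives None, so the plain limit fails."""
    count = sequence_counts(times, n)[n]
    return math.log2(count) / n if count else None


def optimal_distribution(times: Sequence[int]) -> List[float]:
    """Theorem 2: the maximising input distribution p_j = omega^(-t_j).
    The p_j sum to 1 exactly because chi(omega) = 0."""
    omega = char_root(times)
    return [omega ** -t for t in times]


def info_rate(times: Sequence[int], probs: Sequence[float]) -> float:
    """I_t = H(X)/E(T): Equation (4) for a noiseless STC, where I(X,Y) = H(X)."""
    entropy = -sum(p * math.log2(p) for p in probs if p > 0)
    mean_time = sum(p * t for p, t in zip(probs, times))
    return entropy / mean_time


if __name__ == "__main__":
    golden = (1 + 5 ** 0.5) / 2
    # Example 3: T(1, 2) has omega = golden ratio and C = log2(omega) ~ 0.694.
    print("T(1,2): omega =", char_root((1, 2)), "vs", golden)
    print("T(1,2): C =", capacity((1, 2)))
    print("T(1,2): |S_n| =", sequence_counts((1, 2), 10))     # Fibonacci numbers
    print("T(1,2): (log|S_40|)/40 =", rate_estimate((1, 2), 40))
    p = optimal_distribution((1, 2))
    print("T(1,2): p =", p, "I_t =", info_rate((1, 2), p),
          "uniform I_t =", info_rate((1, 2), (0.5, 0.5)))
    # Example 2: T(2, 4) has no sequences of odd length at all.
    print("T(2,4): |S_n| =", sequence_counts((2, 4), 8),
          "rate at n=7:", rate_estimate((2, 4), 7))
    # More distinct delays means a larger root and therefore a higher capacity.
    for k in range(2, 6):
        print("T(4,...,%d): C = %.4f" % (3 + k, capacity(tuple(range(4, 4 + k)))))
```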
4 Bounds

A piece of software that is unintentionally inserted into a computer system and which is capable of exploiting a security flaw (such as a covert channel) is called a Trojan horse. We are concerned with the damage, in terms of capacity, that a Trojan horse might cause. Of course, we are not discussing the nature of the information being passed, only the rate at which it is being passed. Different exploitations of a security flaw can lead to different covert channels and hence to different capacities. We wish to study the different exploitations possible with a specific type of flaw. The flaw of concern is one that allows High to modulate Low response time.

For example, a simple exploitation allows High to modulate the response time by only one value. To be specific, let $a$ be the smallest amount of time that it takes for Low to receive a response to a particular input. Therefore, if High does nothing, Low will receive its response after a time duration of $a$ ticks. Let the smallest amount of time that High can add to this response time be $d$. Obviously, the Trojan horse wishes for $d$ to be as small as possible to increase the capacity of the timing channel.

A simple exploitation by the Trojan horse will have High affect or not affect Low's response time. This may be the only exploitation available to the Trojan horse. This is the STC $T(a, a+d)$ with a 2 symbol input and output alphabet.

Figure 1: $T(a, a+d)$ Simple Exploitation (Low response time marked at $0$, $a$, $a+d$)

The characteristic equation of $T(a, a+d)$ is

$$x^{a+d} - x^d - 1 = 0 .$$

A more complex exploitation arises if High is able to delay the response to Low in multiples of $d$. Then the capacity of $T(a, a+d)$ is not a true measurement of the possible damage, in terms of capacity, that the Trojan horse can cause. For example, assume that High can delay the response to Low by $d, 2d, \ldots, (n-1)d$. Hence, this channel has an alphabet of $n$ symbols and is just $T(a, a+d, \ldots, a+(n-1)d)$.

Figure 2: $T(a, a+d, \ldots, a+(n-1)d)$ Complex Exploitation (Low response time marked at $0$, $a$, $a+d$, $a+2d$, ..., $a+(n-1)d$)

The characteristic equation of $T(a, a+d, \ldots, a+(n-1)d)$ is

$$1 - \left( x^{-a} + x^{-(a+d)} + \cdots + x^{-(a+(n-1)d)} \right) = 0 . \qquad (5)$$

It is obvious that $C_{T(a, a+d, \ldots, a+(n-1)d)} \ge C_{T(a, a+d)}$, since any code for transmitting over $T(a, a+d)$ is also a code for $T(a, a+d, \ldots, a+(n-1)d)$. By studying the roots of the characteristic polynomial we see that $C_{T(a, a+d, \ldots, a+(n-1)d)}$ is in fact strictly greater than $C_{T(a, a+d)}$. Therefore, $C_{T(a, a+d)}$ is a lower bound for $C_{T(a, a+d, \ldots, a+(n-1)d)}$. Equation (5) may be written as (since $x > 1$ is the region of interest)

As we increase $n$, the positive root of $\chi(x)$ also increases. This follows because

$$1 - \sum_{i=0}^{n-1} x^{-(a+id)} > 1 - \sum_{i=0}^{n'-1} x^{-(a+id)} \quad \text{if } n' > n .$$

Therefore, we know that when $a$ and $d$ are fixed and $n \ge 2$, that $\omega$ is bounded away from 1. By this we mean that there exists an $\epsilon > 0$ such that $\omega \in [1 + \epsilon, 2)$. We let $M$ denote the maximum value of

. ,F

on the closed interval $[1 + \epsilon, 2]$. Since

-t < \-(a?) < 1 - M x

and the functions are increasing for $x \in (1, 2)$, we see that $\omega$ approaches, from the left, the root of

1 — d

as $n \to \infty$.

Therefore, we can (tightly) bound the capacity for this exploitation by investigating the positive solution of

for $x \in (1, 2]$. This can be interpreted as the characteristic equation of a STC with infinitely many symbols, each one taking time $t_i = a + (i-1)d$, because this is what the limiting behavior of the Equation (5) is. We can rewrite Equation (6) as

$$1 - \left( x^{-a} + x^{-d} \right) = 0 .$$

Note 4 For $a \neq d$, $1 - (x^{-a} + x^{-d})$ is $\chi(x)$ for the STC $T(a, d)$.

This result is very useful because it says that:


Theorem 3 The capacity for a STC where the smallest time is $a$ and the time can be moderated by multiples of $d$ is, for $a \neq d$, bound from above by the capacity of a channel with a 2 symbol alphabet where $t_1 = d$ and $t_2 = a$, and, for $a = d$, bound from above by $\log 2^{1/a} = a^{-1}$.

Even though this rate of information transfer may involve symbols whose duration is less than $a$, there is nothing mysterious going on because we are simply dealing with a huge number of symbols. For example, if we were to send 64 distinct symbols across a channel, each symbol taking 2 ticks, the rate of information transfer would be 3 bits per tick, even though each symbol takes 2 ticks to pass over the channel.

Thus, from Theorem 3 and our previous discussions we have

Corollary 3.1

$$C_{T(a, a+d)} \le C_{T(a, a+d, \ldots, a+(n-1)d)} < C_{T(a, d)} , \quad a \neq d$$

$$a^{-1} \log \frac{1 + \sqrt{5}}{2} \le C_{T(a, 2a, \ldots, na)} < a^{-1} , \quad a = d .$$

5 Trinomial Equations

Summarizing the main results from the last section, we see that we may bound the capacity of the STC $T(a, a+d, \ldots, a+nd)$ by $\log \omega_{T(a, d)}$ from above and $\log \omega_{T(a, a+d)}$ from below for $a \neq d$. Therefore we wish to obtain a closed form solution for the positive root $\omega_{T(a, d)}$ of $1 - (x^{-a} + x^{-d})$ and the positive root $\omega_{T(a, a+d)}$ of $1 - (x^{-a} + x^{-(a+d)})$.

We have three cases to consider.

Case 1: $a > d$

This arises when the Trojan horse can affect the response time by an amount of time less than the original response time. An example of this would be if a response to Low involves scanning an entire disk, and High is able to add small amounts of delay to the response.

Case 2: $a < d$

This arises by modulating the response time by values that are much bigger than the original response. This does not seem to be as likely an exploitation as Case 1.

Case 3: $a = d$

Here, the response time is locked into fixed multiples of $a$. Corollary 3.1 tells us the bounds. This case can itself be used as a worst case scenario by letting $a$ be the quickest possible response time. Therefore, we are left with cases 1 and 2 to analyze.

We wish to simplify the (upper bound) polynomials by expressing, as before, the characteristic equation $1 - (x^{-a} + x^{-d}) = 0$ using positive exponents. In case 1 this becomes $x^a - x^{a-d} - 1 = 0$ and in case 2 this becomes $x^d - x^{d-a} - 1 = 0$. Therefore, we will study trinomial equations of the form

$$x^N - x^{N-Q} - 1 = 0 , \quad N > Q > 0 \qquad (7)$$

with $N$ and $Q$ being either $a$ or $d$, depending on whether we are in the upper bound part of cases 1 or 2, and $N, Q$ are $a+d, a$ when we are looking at the lower bound for any of the cases.

6 Roots of the Trinomial

Although many authors have investigated the solutions of algebraic trinomial equations (see the extensive bibliography in Belardinelli [1]), the positive root of Equation (7) may be expressed elegantly by employing Mellin's result [21] and Wright's Psi function. Thus, for real $k$ the positive root of the trinomial equation

$$y^N + k y^{N-Q} - 1 = 0 , \quad N > Q > 0 \qquad (8)$$

is given by

$$y = \frac{1}{N} \, {}_1\Psi_1 \left[ \left( \tfrac{1}{N}, \tfrac{N-Q}{N} \right) ; \left( 1 + \tfrac{1}{N}, -\tfrac{Q}{N} \right) ; -k \right] \qquad (9)$$

where $Q$ and $N$ are real numbers such that

$$|k| < (Q/N)^{-Q/N} (1 - Q/N)^{Q/N - 1} \le 2 . \qquad (10)$$


Wright's Psi function in Equation (9) is defined by the series representation

$${}_1\Psi_1 \left[ (\alpha, A) ; (\beta, B) ; z \right] = \sum_{n=0}^{\infty} \frac{\Gamma(\alpha + An)}{\Gamma(\beta + Bn)} \frac{z^n}{n!} .$$

Miller and Moskowitz have shown in [23] that the Wright function ${}_1\Psi_1[z]$ may be expressed in various ways as a finite sum of generalized Gaussian hypergeometric functions when $A$ and $B$ are rational numbers. Hence, setting $k = -1$ in Equation (8) and verifying that the inequality (10) holds, the positive root $\omega$ of Equation (7) for integers $N > Q \ge 1$, may be written in the three ways shown in Figure 3.

The above closed form solutions enable us to tightly bound capacity. The closed forms are useful from both a numerical and theoretical standpoint. Since they are in closed form, a numerical answer can be easily calculated. One of their uses is in seeing how sensitive/robust the bounds are to slight perturbations in channel exploitation. This is especially important in light of the exponential growth of processor speeds. In other words, a slight difference in capacity on this year's machine might be a severe problem with next year's faster machine.

Also, the closed form solutions let us see the exact functional relation between the capacity and various channel parameters. This is apparent by examining the closed forms presented in this section. One could glean some information through numerical methods, but never as much as through closed form expressions.
Figure 3: Different Expressions for the Root of Equation (7)
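The following Python is an added example, not the paper's own code: it evaluates Equation (9) with $k = -1$ for the trinomial (7) (the Fox-Wright series as I read it from the text, lower parameter pair $(1 + 1/N, -Q/N)$), checks the root by substitution and reports the convergence bound of inequality (10), and then evaluates the lower and upper bounds of Corollary 3.1 for a sample $(a, d)$ in each of the three cases of Section 5. Function names, the term count and the sample values are mine.

```python
"""Closed-form positive root of the trinomial x^N - x^(N-Q) - 1 = 0 (Equation (7))
from Mellin's Wright-Psi series (Equation (9) with k = -1), checked by substitution,
then the capacity bounds of Theorem 3 / Corollary 3.1 for a given (a, d)."""
import math


def wright_psi_root(N: int, Q: int, k: float = -1.0, terms: int = 80) -> float:
    """Root y of y^N + k*y^(N-Q) - 1 = 0 as
        y = (1/N) * sum_{n>=0} Gamma(1/N + n(N-Q)/N) / Gamma(1 + 1/N - nQ/N) * (-k)^n / n!,
    i.e. (1/N) 1Psi1[(1/N, (N-Q)/N); (1 + 1/N, -Q/N); -k].
    Converges when |k| is below the bound of inequality (10); k = -1 always is,
    but the closer Q/N is to 0 or 1 the more terms are needed."""
    total = 0.0
    for n in range(terms):
        # Lower Gamma argument is (N + 1 - nQ)/N.  At a non-positive integer,
        # Gamma has a pole, 1/Gamma is 0 and the term vanishes.
        m = N + 1 - n * Q
        if m <= 0 and m % N == 0:
            continue
        term = math.gamma((1 + n * (N - Q)) / N) / math.gamma(m / N)
        total += term * (-k) ** n / math.factorial(n)
    return total / N


def trinomial_residual(y: float, N: int, Q: int) -> float:
    """Left-hand side of Equation (7) at y; zero at the root."""
    return y ** N - y ** (N - Q) - 1.0


def convergence_bound(N: int, Q: int) -> float:
    """Right-hand side of inequality (10): (Q/N)^(-Q/N) (1 - Q/N)^(Q/N - 1) <= 2."""
    r = Q / N
    return r ** -r * (1.0 - r) ** (r - 1.0)


def capacity_bounds(a: int, d: int):
    """(lower, upper) bounds in bits/tick for the STC T(a, a+d, ..., a+(n-1)d).
    Lower: C_T(a,a+d), root of x^(a+d) - x^d - 1, so (N, Q) = (a+d, a).
    Upper: C_T(a,d) for a != d (Theorem 3), root of x^N - x^(N-Q) - 1 with
    N = max(a, d), Q = min(a, d); for a = d the bound is 1/a."""
    lower = math.log2(wright_psi_root(a + d, a))
    if a == d:
        upper = 1.0 / a
    else:
        upper = math.log2(wright_psi_root(max(a, d), min(a, d)))
    return lower, upper


if __name__ == "__main__":
    for N, Q in ((2, 1), (4, 1), (5, 4)):
        y = wright_psi_root(N, Q)
        print("x^%d - x^%d - 1 = 0: root %.12f, residual %.1e, bound (10) %.3f"
              % (N, N - Q, y, trinomial_residual(y, N, Q), convergence_bound(N, Q)))
    # Case 1 (a > d), Case 2 (a < d) and Case 3 (a = d) from Section 5.
    for a, d in ((4, 1), (1, 4), (2, 2)):
        lo, hi = capacity_bounds(a, d)
        print("a=%d d=%d: %.4f <= C < %.4f bits/tick" % (a, d, lo, hi))
```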
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7  Database  STC’s 

A  database  is  updated  when  a  user  successfully  enters 
new  information  into  the  database.  Covert  channels 
may  arise  in  a  database  if  High  can  influence  Low’s 
ability  to  enter  new  information  and/or  the  time  at 
which  Low  gets  a  “receipt”  of  its  update.  In  [13],  High 
is  able  to  influence  the  time  at  which  Low  receives 
an  acknowledgement  of  its  update  by  removing  or  not 
removing  messages  from  an  intermediary  communica¬ 
tions  buffer.  This  results  in  a  noisy  timing  channel. 
Kang  and  Moskowitz  showed  how  STC’s  could  be  used 
as  a  worst  case  analysis  for  these  more  complicated 
timing  channels.  The  study  of  these  bounds  is  docu¬ 
mented  in  [13]. 

A more traditional and fundamental approach to database security involves the study of update transactions. Recently, Mathur and Keefe [20] discussed specific covert channels that arise in a database scheduler implementing certain concurrency control and recovery protocols. These covert channels, which are in fact STC's, arise from the desire to ensure atomicity. (Atomicity means that a transaction either happens or does not happen; it does not partially happen.)

Mathur and Keefe identify and analyze in detail three specific types of STC's arising from High manipulating subtransactions: the delayed sibling subtransaction STC; the delayed reader subtransaction STC; and the compensation STC. We will examine only the delayed reader subtransaction STC here. Mathur and Keefe argue that their channels suffice for a worst case analysis. In their statement immediately preceding section 4.1 of [20] they assert:

However, if we use exactly two symbols in the channel and ensure that the durations of these symbols are the smallest possible, i.e., there exists no covert channel scenario which requires fewer operations to transmit a symbol, then indeed we have achieved the maximum bandwidth possible in the channel. It turns out that this is possible to establish for each of the above scheduling schemes.

Presumably they are limiting themselves to channels with two symbols. If, in fact, High can send more than two symbols, the capacity increases. (Keefe and Mathur have noted this problem in later work [14].) Our Corollary 3.1 shows the limits of this increase. Let us examine the Mathur and Keefe delayed reader subtransaction STC in detail.

The  delayed  reader  subtransaction  STC: 

In this series of subtransactions Low writes a data item, commits the update, reads the update, and records the time it waited. All four of these actions take a standard amount of time $t_{op}$. However, it is possible for High to delay the Low commit by one unit of $t_{op}$. Thus, we have a STC with $t_1 = 4t_{op}$ and $t_2 = 5t_{op}$. Of course $t_{op}$ is a certain fixed number of ticks. We assume that one tick is one ms for the sake of comparison with Mathur and Keefe. Therefore, $t_{op}$ is $j$ ms, where $j$ depends on the subtransaction speed of the database. The characteristic equation for this STC is $1 - (x^{-4t_{op}} + x^{-5t_{op}}) = 0$. Let $\xi = x^{t_{op}}$; then $C = \frac{1}{j}\log\eta$ bits/ms, where $\eta$ is the positive root of $\xi^5 - \xi - 1 = 0$. This gives us

$$C = \frac{1}{j}\,223.18 \text{ bits/second}$$

by using both Mathematica and MathCad. Note that Mathur and Keefe express their values in tabular rather than functional form, and they get 217.59 bits/second instead of our 223.18 bits/second when $j = 1$. We attribute this to round-off errors.

In our terminology $a = 4$ and $d = 1$, so we can upper bound the capacity by

$$\frac{1}{j}\,C_T(4t_{op}, t_{op}) = \frac{1}{j}\,464.96 \text{ bits/second}.$$

Therefore, we see that using just a two symbol input alphabet is far from a worst case scenario. If High is able to send symbols taking $4, 5, 6, \ldots, n$ units of $t_{op}$, with $n$ large, the above upper bound must be considered as the true worst case exploitation by the Trojan horse.
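The following Python script is an added worked example; it is not part of this paper, nor of the Mathur and Keefe analysis. It computes the two quantities of this section numerically: the two-symbol capacity, by finding the positive root of the characteristic equation $1 - (\xi^{-4} + \xi^{-5}) = 0$ by bisection, and the upper bound for the alphabet $4, 5, 6, \ldots$ units of $t_{op}$, by summing the characteristic equation as a geometric series. It goes slightly beyond the text in also handling an arbitrary finite alphabet, so that one can watch the capacity of the alphabet $4, \ldots, n$ approach the bound as $n$ grows. The conversion to bits/second assumes, as above, that one tick is one ms and $t_{op}$ is $j$ ms; the function names are this example's own.

```python
import math

# Assumption taken from Section 7 of the paper: one tick is 1 ms and t_op is j ms,
# so a capacity of C bits per t_op equals 1000*C/j bits per second.
MS_PER_SECOND = 1000.0


def stc_characteristic(x, durations):
    """1 - sum_i x^(-t_i) for a noiseless STC whose symbols last t_i units of
    t_op.  The capacity in bits per t_op is log2 of the positive root of this."""
    return 1.0 - sum(x ** (-t) for t in durations)


def progression_characteristic(x, a, d):
    """The same function for the infinite alphabet a, a+d, a+2d, ... units of
    t_op, with the sum written as a geometric series (valid for x > 1)."""
    return 1.0 - x ** (-a) / (1.0 - x ** (-d))


def positive_root(f, tol=1e-12):
    """Root of f on (1, inf) by bisection.  With at least two symbols f is
    negative just above 1 and increases monotonically towards 1 as x grows,
    so [lo, hi] brackets the root once f(hi) > 0."""
    lo, hi = 1.0 + 1e-9, 2.0
    while f(hi) <= 0.0:          # widen the bracket for alphabets of very short symbols
        hi *= 2.0
    while hi - lo > tol:
        mid = 0.5 * (lo + hi)
        if f(mid) < 0.0:
            lo = mid
        else:
            hi = mid
    return 0.5 * (lo + hi)


def capacity_bps(root, j):
    """Convert log2(root) bits per t_op into bits per second when t_op = j ms."""
    return MS_PER_SECOND * math.log2(root) / j


def two_symbol_capacity_bps(t1, t2, j):
    """Delayed reader subtransaction STC: two symbols of t1 and t2 units of t_op."""
    eta = positive_root(lambda x: stc_characteristic(x, [t1, t2]))
    return capacity_bps(eta, j)


def finite_alphabet_capacity_bps(durations, j):
    """Capacity when High can send every duration listed (units of t_op)."""
    root = positive_root(lambda x: stc_characteristic(x, durations))
    return capacity_bps(root, j)


def progression_capacity_bps(a, d, j):
    """The upper bound used in Section 7: all symbols a, a+d, a+2d, ... units of t_op."""
    root = positive_root(lambda x: progression_characteristic(x, a, d))
    return capacity_bps(root, j)


if __name__ == "__main__":
    j = 1  # t_op = 1 ms, the case compared with Mathur and Keefe
    print("two symbols 4, 5:        %.2f bits/s" % two_symbol_capacity_bps(4, 5, j))
    for n in (6, 8, 12, 60):
        print("symbols 4..%-2d:           %.2f bits/s"
              % (n, finite_alphabet_capacity_bps(range(4, n + 1), j)))
    print("symbols 4, 5, 6, ...:    %.2f bits/s" % progression_capacity_bps(4, 1, j))
```

For $j = 1$ the script reproduces the 223.18 and 464.96 bits/second figures above, and the finite alphabets $4, \ldots, n$ are seen to be within a hundredth of a bit of the bound well before $n = 60$, which is the sense in which the bound is the true worst case for large $n$.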

8  Summary 

In this paper we have analyzed the twofold importance of STC's, both in and of themselves and as bounds for more complicated types of timing channels. We have shown how STC's themselves can be bounded by two symbol STC's, the capacity of which we found by studying the roots of trinomials. We offer closed form solutions for these trinomials. We have presented different ways of defining capacity and have cleared up Shannon's original definition of capacity. Further, we have presented a new proof of a fundamental result from information theory. We conclude this paper by applying our analysis and bounding results to a previously studied STC.